This action polls a Bright scan until it returns a detected issue, or its time runs out.

Bright is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love.

Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports

Bright works with your existing CI/CD pipelines – trigger scans on every commit, pull request or build with unit testing.

One file. One command. One scan. No UI needed.

Interacts with applications and APIs, instead of just crawling them and guessing. Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks.

Stop chasing ghosts and wasting time. Bright doesn’t return false positives, so you can focus on releasing code.

Bright tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities.

More information is available on Bright’s:

• Website
• Knowledge base
• YouTube channel
• GitHub Actions

Required. Your Bright API authorization token (key). You can generate it in the Organization section in the Bright app. Find more information here.

Example: api_token: ${{ secrets.NEURALEGION_TOKEN }}

Required. ID of an existing scan to be restarted. You can get the scan ID in the Scans section in the Bright app.

Example: scan: ${{ steps.start.outputs.id }}

Required. Set the severity of the first issue to wait for: any, medium, high.

Example: wait_for: any

Required. Time for polling in seconds.

Example: timeout: 55

If set to true, allows you to stop a scan after the action has completed.

Example: stop_scan: true

If set to true, uploads SARIF scan data to GitHub so that scan results are available from Code Scanning. Requires to be set github_token.

Example: code_scanning_alerts: true

To use code scanning in private and internal repositories, you need to enable GitHub Advanced Security features for the repository.

You can find more details on how to manage your repository's security and analysis settings in the Managing security and analysis settings for your repository documentation.

URL of the resulting scan.

start_and_wait_scan:
  runs-on: ubuntu-latest
  name: A job to run a NeuraLegion scan
  steps:
    - name: Start NeuraLegion Scan 🏁
      id: start
      uses: NeuraLegion/run-scan@master
      with:
        api_token: ${{ secrets.NEURALEGION_TOKEN }}
        name: GitHub scan ${{ github.sha }}
        discovery_types: |
          [ "crawler", "archive" ]
        crawler_urls: |
          [ "https://juice-shop.herokuapp.com" ]
        file_id: LiYknMYSdbSZbqgMaC9Sj
        hosts_filter: |
          [ ]
        wait_for: high
    - name: Get the output scan url
      run: echo "The scan was started on ${{ steps.start.outputs.url }}"
    - name: Wait for any issues ⏳
      id: wait
      uses: NeuraLegion/wait-for@master
      with:
        api_token: ${{ secrets.NEURALEGION_TOKEN }}
        scan: ${{ steps.start.outputs.id }}
        wait_for: any
        timeout: 55
        code_scanning_alerts: true
        github_token: ${{ github.token }}